Privacy Policy
Version: 1.3
1. Introduction
DefZero (hereinafter "DefZero", "we", "us", or "our") operates the SecRaptor platform (the "Platform" or "Service"), a Software-as-a-Service (SaaS) security scanning and open-source intelligence (OSINT) platform. SecRaptor is a product of DefZero.
We are committed to protecting your privacy and personal data in compliance with:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR");
- The Dutch Implementation Act on the GDPR (Uitvoeringswet AVG - "UAVG");
- Applicable Dutch Telecommunications Act cookie and e-privacy rules; and
- Other applicable European and Dutch data protection and e-privacy legislation.
This Privacy Policy explains how we collect, use, process, store, and protect your personal data when you use our Service. Where this Policy refers to "GDPR", it refers to Regulation (EU) 2016/679 as implemented and supplemented in the Netherlands where applicable.
2. Data Controller and Data Protection Contact
2.1 Data Controller
The data controller for Personal Data processed through the Platform is:
DefZero
Registered in the Netherlands
Chamber of Commerce (KVK) Number: 93371896
Registered Address: NOT CONFIGURED, NOT CONFIGURED NOT CONFIGURED, Netherlands
Email: support@secraptor.com
Website: https://www.secraptor.com
2.2 Data Protection Contact
For all data protection inquiries, you may contact our Data Protection Contact at:
Email: dpo@secraptor.com
Subject line: "Data Protection Inquiry - SecRaptor"
If we are legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, we will register the DPO with the relevant supervisory authority and update this section accordingly.
2.3 EU Establishment
DefZero is established in the Netherlands and is directly subject to the GDPR and UAVG. No separate EU representative under Article 27 GDPR is required.
3. Personal Data We Collect
3.1 Account and Registration Data
When you create an account or register your organization, we collect:
- User Information: Username and email address for the account administrator, and any additional profile/contact details you later provide
- Organization Information: Company name, business address, phone number, website URL, primary domain, location, and optional VAT number / tax ID and company registration number
- Authentication Data: Password (stored using industry-standard one-way hashing), session identifiers, authentication tokens, and legal-acceptance records
- Tenant Identification: Unique tenant UUID for multi-tenant isolation
3.2 Billing and Payment Data
For subscription and payment processing, we collect:
- Billing Information: Billing address, company billing details, VAT number / tax ID where provided, invoice recipient details, and billing configuration for enterprise customers
- Payment Data: We use Stripe as our payment processor. Payment card data is processed and stored by Stripe, not by SecRaptor. SecRaptor stores limited billing metadata such as Stripe customer IDs, Stripe subscription IDs, checkout/session references, and billing events needed to provision and administer subscriptions
- Transaction Data: Invoice history, payment amounts, dates, subscription plans, billing cycle information, and manual-invoice records where applicable
3.3 Scan and Usage Data
When you use our security scanning services, we collect:
- Scan Configuration: Target URLs, domains, IP addresses, scan modes (standard/full pentest), scan schedules, scan speed/concurrency/timeout settings, production-risk and scope confirmations, dangerous-payload authorization confirmations, and authentication credentials/tokens (encrypted at rest)
- Scan Results: Vulnerability findings, exposure intelligence data, technical evidence, risk scores, compliance mappings, report exports (encrypted at rest)
- OSINT Data: DNS records, WHOIS information, SSL/TLS certificate data, subdomain enumeration results, technology fingerprints, port scan results, publicly available exposure data
- Platform Usage: Scan frequency, feature usage, scan duration, API usage metrics, export activities
3.4 Technical and Log Data
- Access Logs: IP addresses (real client IP via CDN headers), timestamps, HTTP request methods, user agents, referrer URLs
- Security Logs: Login attempts (successful/failed), password reset requests, session activities, tenant unlock/lock events, administrative actions
- Audit Logs: Scan creation/modification/deletion, report generation/download, user management actions, billing events, security-sensitive operations, target-authorization confirmations, production-environment acknowledgments, non-production preference confirmations, and high-risk or dangerous-payload enablement records
- Technical Data: Browser type and version, operating system, device type, screen resolution, language preferences, timezone
- Performance Data: Page load times, API response times, error reports, crash logs
3.5 Communications Data
- Email correspondence with our support team
- Support ticket content and attachments
- Feedback and survey responses
- Chat messages (if using in-platform support chat)
- Sample report request details, including company name, email address, request timestamp, IP address, user agent, legal-acceptance record, and delivery status when you request a sample report from our public website
3.6 Cookies and Tracking Technologies
We use cookies and similar tracking technologies. See Section 11 for detailed information.
4. Legal Bases for Processing
Under Article 6 GDPR, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and service provision | Performance of contract | Article 6(1)(b) |
| Security scanning and vulnerability testing services | Performance of contract | Article 6(1)(b) |
| Payment processing and billing | Performance of contract | Article 6(1)(b) |
| Security and fraud prevention | Legitimate interests | Article 6(1)(f) |
| Platform security and incident response | Legitimate interests / Legal obligation (NIS2 and applicable Dutch implementation) | Article 6(1)(f) / (c) |
| Audit logging and compliance | Legal obligation / Legitimate interests | Article 6(1)(c) / (f) |
| Target authorization, production-risk, and high-risk feature acknowledgment records | Performance of contract / Legitimate interests / Legal claims and compliance | Article 6(1)(b) / (f) / (c) |
| Tax and accounting obligations | Legal obligation | Article 6(1)(c) |
| Marketing communications (opt-in) | Consent | Article 6(1)(a) |
| Sample report delivery and related follow-up communications after an explicit website opt-in | Consent | Article 6(1)(a) |
| Product improvement and analytics | Legitimate interests | Article 6(1)(f) |
4.1 Legitimate Interests
Where we rely on legitimate interests as a legal basis, our interests include:
- Ensuring platform security and integrity
- Preventing fraud, abuse, and unauthorized access
- Improving service quality and user experience
- Protecting our legal rights and defending against claims
- Business continuity and disaster recovery
- Compliance with NIS2 Directive obligations and applicable Dutch implementation where relevant
We have conducted a legitimate interests assessment (LIA) and determined that our processing does not override your fundamental rights and freedoms. A copy of our LIA is available upon request to dpo@secraptor.com.
5. How We Use Your Personal Data
5.1 Service Provision
- Create and manage your user account and tenant workspace
- Authenticate and authorize access to the Platform
- Execute security scans, vulnerability assessments, and OSINT operations as requested
- Generate scan reports, export data, and provide compliance mappings
- Provide real-time scan progress updates via WebSocket connections
- Enable collaboration features within tenant workspaces
- Process API requests and integrate with third-party tools
5.2 Billing and Payment
- Process subscription payments and manage billing cycles
- Generate invoices and maintain transaction records
- Handle subscription upgrades, downgrades, and cancellations
- Comply with tax and accounting obligations
- Prevent payment fraud and chargebacks
5.3 Security and Fraud Prevention
- Monitor for suspicious activities and unauthorized access attempts
- Implement rate limiting and abuse prevention measures
- Conduct security incident investigations and forensics
- Maintain audit trails for security-sensitive operations
- Maintain records of target authorization, production-risk acknowledgments, non-production preference confirmations, dangerous-payload authorization, scan settings, and related scope-control decisions
- Respond to security incidents under NIS2 Directive obligations and applicable Dutch implementation where relevant
5.4 Communications
- Send transactional emails (account confirmations, password resets, scan completion notifications)
- Provide customer support and respond to inquiries
- Send service announcements, security alerts, and critical updates
- Send marketing communications only with your explicit consent, with easy opt-out, in compliance with applicable Dutch and European e-privacy rules
- Send the requested sample report and follow up with you about that request when you explicitly consent on the sample-report form
5.5 Service Improvement and Analytics
- Analyze platform usage patterns to improve features and performance
- Conduct research to enhance scanning accuracy and reduce false positives
- Develop new security detection capabilities and intelligence feeds
- Generate aggregated, anonymized statistics (never disclosed with identifying information)
5.6 Legal Compliance
- Comply with legal obligations under GDPR, UAVG, NIS2, applicable Dutch implementation, and other applicable laws
- Respond to lawful requests from authorities (court orders, regulatory inquiries)
- Establish, exercise, or defend legal claims
- Evidence customer instructions, target authorization, production-risk acceptance, and high-risk feature consent where a scan causes or is alleged to cause operational impact
- Maintain records for regulatory audits and inspections
6. Data Sharing and Disclosure
6.1 Service Providers and Processors (Article 28 GDPR)
We engage carefully vetted third-party service providers to assist in operating our Platform. These processors act on our instructions and under Data Processing Agreements (DPAs) that comply with Article 28 GDPR:
| Service Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA/EU | EU-US Data Privacy Framework (DPF); EU SCCs where applicable |
| Cloud Infrastructure Provider | Hosting and storage | EU regions (for example Germany and/or Ireland, depending on deployment) | GDPR-compliant DPA; EU SCCs where applicable |
| Email Service Provider (e.g., Google Workspace) | Transactional and support emails | Global | Provider DPA; EU SCCs where applicable |
| CDN Provider (Cloudflare) | Content delivery and DDoS protection | Global (EU data residency options) | EU SCCs; Data Localization Suite where applicable |
A current list of sub-processors is maintained at a stable URL or made available by other durable written means upon request. Where required by law, we provide at least 14 days' prior notice of material changes to sub-processors and allow customers to object on reasonable data protection grounds during that period.
6.2 Legal Requirements and Public Authorities
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities, including:
- Compliance with legal obligations (e.g., court orders, subpoenas, or orders from competent courts or regulators)
- Cooperation with law enforcement or regulatory investigations
- Protection of national security or public safety (under strict legal criteria)
- Enforcement of our Terms of Service and protection of our rights
We will assess the legality of each request and, where permitted, notify you before disclosure unless legally prohibited. We will disclose only the minimum data necessary.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to a successor entity. We will notify you via email and/or prominent notice on our Platform at least 30 days before such transfer, and you will have the opportunity to delete your account before the transfer.
6.4 Within Tenant Organizations
Within your tenant workspace, authorized users (as designated by your organization's administrator) may access shared scan results, reports, and configuration data. You control user permissions within your tenant.
6.5 No Data Sharing for Marketing
We do not share your personal data with third parties for their direct marketing purposes.
7. International Data Transfers
7.1 Data Residency
We primarily store and process data within the European Union (EU) and European Economic Area (EEA), using EU hosting regions selected for the deployment in question. Data may also be processed by limited sub-processors such as payment, email, CDN, and security providers in other jurisdictions subject to appropriate safeguards.
7.2 Transfers Outside the EU/EEA
In limited circumstances, your data may be transferred to countries outside the EU/EEA (e.g., for payment processing via Stripe). Where such transfers occur, we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs): EU Commission-approved contract terms (Implementing Decision (EU) 2021/914)
- EU-US Data Privacy Framework (DPF): For transfers to DPF-certified US organizations (EU Commission Adequacy Decision C(2023) 4745)
- EU Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection (Article 45 EU GDPR)
- Supplementary Measures: Additional technical and organizational safeguards as recommended by the European Data Protection Board (EDPB)
7.3 Your Rights Regarding International Transfers
You may request:
- A copy of the Standard Contractual Clauses we use where applicable
- Information about the safeguards in place for specific transfers
- A copy of any relevant Transfer Risk Assessment
Contact dpo@secraptor.com for such requests.
8. Data Retention
8.1 Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (active accounts) | Duration of service + 30 days after termination | Contract performance |
| Scan results and reports | Duration of service + 30 days after termination (service data purge window) | Contract performance, legitimate interests |
| Billing and payment records | 7 years (or longer where required by applicable tax, accounting, or corporate recordkeeping law) | Legal obligation |
| Audit and security logs | 12 months, and at least the duration of service plus 30 days where longer retention is not required | Legal obligation, legitimate interests |
| Target authorization, production-risk acknowledgment, non-production preference, dangerous-payload consent, and related legal-acceptance records | Duration of service + 7 years where needed to establish, exercise, or defend legal claims, or shorter where the record is no longer necessary | Contract performance, legitimate interests, legal claims and compliance |
| Support communications | 3 years after closure of ticket | Legitimate interests |
| Marketing consent records | Until consent withdrawn + 1 year (proof of consent) | Legal obligation (accountability) |
| Anonymized analytics data | Indefinitely (no personal data) | Not applicable (anonymized) |
8.2 Retention Principles
- We retain data only as long as necessary for the purposes stated in this Policy
- After retention periods expire, data is securely deleted or anonymized
- Encrypted data is deleted by securely destroying encryption keys
- We may retain certain records for longer where required by law (e.g., accounting, tax, and corporate records)
- We may retain legal-acceptance, target-authorization, production-risk, and high-risk feature acknowledgment records where necessary to evidence customer instructions or defend legal claims
- You may request earlier deletion (subject to legal obligations) — see Section 9
8.3 Automated Deletion
Our platform implements automated cleanup tasks that permanently delete service data after the configured service data purge window has elapsed following termination.
9. Your Data Protection Rights
As a data subject under the GDPR, you have the following rights:
9.1 Right of Access (Article 15)
You have the right to obtain:
- Confirmation whether we process your personal data
- A copy of your personal data in a structured, commonly used format
- Information about processing purposes, categories, recipients, retention periods
How to exercise: Email dpo@secraptor.com with subject "Data Access Request". We will respond within one calendar month (extendable by two further months for complex requests, with explanation), as required by Article 12(3) GDPR.
9.2 Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data.
How to exercise: You can update most information in your account settings, or email dpo@secraptor.com.
9.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- Data is no longer necessary for the purposes collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data was unlawfully processed
- Deletion is required for legal compliance
Limitations: We may retain data where required for legal obligations (e.g., tax or accounting records retained under applicable law) or to establish/defend legal claims.
How to exercise: Email dpo@secraptor.com. If you are a tenant admin and want SecRaptor service data purged, use the Billing cancellation flow (where available) or contact us; service data is deleted after the service data purge window.
9.4 Right to Restriction of Processing (Article 18)
You may request restricted processing (storage only) when:
- You contest the accuracy of data (pending verification)
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing (pending verification of legitimate grounds)
How to exercise: Email dpo@secraptor.com with specific details.
9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller where:
- Processing is based on consent or contract
- Processing is carried out by automated means
How to exercise: Email dpo@secraptor.com. We provide scan data exports in JSON format.
9.6 Right to Object (Article 21)
You have the right to object to processing based on:
- Legitimate interests (Article 6(1)(f)): You may object at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Direct marketing: You have an absolute right to object to marketing. Use the "unsubscribe" link in emails or contact dpo@secraptor.com.
9.7 Rights Related to Automated Decision-Making (Article 22)
We do not conduct automated decision-making or profiling that produces legal or similarly significant effects about you. Risk scoring and vulnerability prioritization are technical assessments of systems, not decisions about individuals.
9.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
How to exercise: Email dpo@secraptor.com or adjust settings in your account.
9.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
Netherlands — Autoriteit Persoonsgegevens (AP):
Website: https://autoriteitpersoonsgegevens.nl
If you are located in the EU/EEA, you also have the right to lodge a complaint with your local supervisory authority. A list of EU/EEA Data Protection Authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
9.10 No Fee (Usually)
We do not charge a fee to exercise your rights unless your request is manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or refuse to act on the request.
10. Data Security
10.1 Technical and Organizational Measures
We implement state-of-the-art security measures in accordance with Article 32 GDPR:
Encryption
- Data in Transit: TLS 1.3 encryption for all data transmissions
- Data at Rest: AES-256-GCM or ChaCha20-Poly1305 encryption for sensitive files (scan results, reports, credentials)
- Password Storage: Bcrypt/scrypt hashing with per-user salts (never plain text)
- Tenant-Specific Encryption: Per-tenant master keys derived from tenant secrets + server pepper + tenant UUID
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-tenant isolation (row-level tenant_uuid filtering, isolated storage directories)
- Session management with secure cookies, expiry, and re-authentication for sensitive actions
- Two-factor authentication (2FA) available for user accounts
Network Security
- Web Application Firewall (WAF) protection via Cloudflare
- DDoS mitigation and rate limiting (Redis-backed)
- Intrusion detection and prevention systems (IDS/IPS)
- Regular penetration testing and vulnerability assessments
Application Security
- Input validation and sanitization (XSS, SQL injection, command injection prevention)
- Content Security Policy (CSP) headers
- Secure headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- Dependency scanning and automated security updates
Operational Security
- Comprehensive audit logging of security-sensitive operations
- Automated monitoring and alerting for anomalous activities
- Incident response plan and breach notification procedures
- Regular security awareness training for staff
- Background checks for personnel with access to production systems
Infrastructure Security
- EU-based data centers with appropriate physical and organizational security controls
- Physical security controls (biometric access, 24/7 surveillance)
- Redundant backups with encryption at rest
- Disaster recovery and business continuity plans
10.2 Security Program
We maintain a security program designed to protect the Service and Customer Data. We do not represent that DefZero or the Service holds any specific compliance certification unless we explicitly state so in writing (e.g., in an Order Form).
10.3 Data Breach Notification
In the event of a personal data breach, we will:
- Notify the competent supervisory authority, including the Autoriteit Persoonsgegevens where applicable, within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals' rights and freedoms (Article 33 GDPR)
- Notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms (Article 34 GDPR)
- Document all breaches, including facts, effects, and remedial actions taken
10.4 Your Security Responsibilities
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Notifying us immediately of any unauthorized access or security breach
- Using strong, unique passwords and enabling 2FA
- Ensuring your scan targets are authorized (see our Terms of Service)
11. Cookies and Tracking Technologies
11.1 What Are Cookies?
Cookies are small text files stored on your device by your browser. We use cookies and similar technologies (including local storage and session storage) to operate, secure, and, where enabled, measure use of our Service.
11.2 Applicable Cookie Laws
Cookies and similar storage/access technologies are regulated by:
- Netherlands: Applicable Dutch Telecommunications Act cookie rules
- European Union / EEA: Applicable national ePrivacy or cookie rules implementing Article 5(3) of the ePrivacy Directive
These rules generally require prior informed consent for non-essential cookies. Strictly necessary cookies are generally exempt from the consent requirement under applicable law.
11.3 Types of Cookies We Use
Some processing is strictly necessary to provide the Service and secure the site. This includes, for example, authentication/session cookies, CSRF protection, network delivery, WAF/DDoS protection, anti-abuse controls, and security logging. This processing occurs regardless of cookie preferences. Cookie consent controls only non-essential technologies, such as optional analytics, and does not disable necessary security telemetry or core account/session functionality.
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly Necessary | Session authentication, security, load balancing, CSRF protection | Session (deleted when browser closed) or 30 days | Exempt from consent where strictly necessary under applicable law |
| Functional / Preference | Remember consent or user-interface preferences where enabled | 1 year | Consent (via cookie banner) |
| Performance/Analytics | Understand platform usage, identify errors, and improve performance where analytics is enabled | 1 year | Consent (via cookie banner) |
11.4 Third-Party Cookies
We may use limited third-party services that set or rely on cookies or similar technologies:
- Stripe: Payment processing (strictly necessary for payment)
- Cloudflare: CDN and security services (strictly necessary for DDoS protection)
We do not use third-party advertising cookies. Optional analytics technologies, if enabled, are non-essential and subject to consent.
11.5 Managing Cookies
You can control cookies through:
- Cookie Banner: Accept all, reject non-essential cookies, or manage preferences on first visit. Rejecting non-essential cookies is designed to be as easy as accepting them
- Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. Disabling strictly necessary cookies may impair login, session continuity, and security protections
- Cookie Preferences: Adjust preferences in the cookie preferences page or any in-platform settings we make available
11.6 Do Not Track
Our Platform does not currently respond to "Do Not Track" (DNT) signals as there is no industry-wide standard. We honor cookie preferences set via our cookie banner.
12. Children's Privacy
Our Service is not directed to individuals under the age of 18. The Service is a B2B platform for business use only.
For reference, the minimum age of digital consent is:
- Netherlands: 16 years under the UAVG for information society services based on consent
- EU/EEA: The applicable age threshold may vary by Member State
We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take immediate steps to delete such data.
If you believe we have inadvertently collected data from a child, please contact us immediately at dpo@secraptor.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.
13.1 Notification of Changes
- Material Changes: We will notify you at least 30 days in advance via email and/or prominent in-platform notice. Material changes include expanded data collection, new third-party sharing, or reduced rights.
- Non-Material Changes: We will publish the revised effective date and may provide in-platform notification.
13.2 Continued Use
By continuing to use the Service after changes become effective, you accept the updated Privacy Policy with respect to processing based on contract performance or legitimate interests. Where our processing relies on your consent, material changes will require fresh consent. If you do not agree with changes, you may terminate your account before they take effect.
13.3 Version History
Previous versions of this Privacy Policy are available upon request to dpo@secraptor.com.
14. Jurisdiction-Specific Provisions
14.1 Netherlands (UAVG)
As DefZero is established in the Netherlands, the following additional provisions apply where relevant:
- Your data is protected under the GDPR and the Dutch Implementation Act on the GDPR (UAVG).
- The Autoriteit Persoonsgegevens is the Dutch supervisory authority. You may lodge a complaint at https://autoriteitpersoonsgegevens.nl (see Section 9.9).
- Electronic marketing communications are governed by applicable Dutch and European e-privacy rules. We will only send direct marketing with your prior consent, and every message includes an unsubscribe mechanism.
- The Service is a B2B platform and is not directed to children.
14.2 European Union / EEA
If you are located in another EU/EEA Member State, the GDPR and applicable national implementing legislation may apply to the processing of your personal data. You may contact your local supervisory authority for complaints (see Section 9.9).
15. Contact Us
For Privacy and Data Protection Inquiries:
Data Protection Contact
DefZero
Email: dpo@secraptor.com
Subject Line: "Data Protection Inquiry - SecRaptor"
For General Inquiries:
Email: support@secraptor.com
Website: https://www.secraptor.com
Response Time:
We will respond to privacy requests within one calendar month (extendable by two further months for complex requests, with explanation), as required by Article 12(3) GDPR.
16. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person (GDPR Article 4(1))
- "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion (GDPR Article 4(2))
- "Data Controller": The entity that determines the purposes and means of processing (DefZero)
- "Data Processor": An entity that processes data on behalf of the controller (e.g., our hosting provider)
- "Data Subject": The individual to whom personal data relates (you)
- "Tenant": An isolated organizational workspace within the SecRaptor platform
- "OSINT": Open-Source Intelligence — publicly available information collected from external sources
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council
- "UAVG": The Dutch Implementation Act on the GDPR (Uitvoeringswet AVG)
- "AP": The Autoriteit Persoonsgegevens, the Dutch data protection supervisory authority
DefZero - SecRaptor Platform
Privacy Policy Version 1.3 - Effective 19 April 2026
© 2026 DefZero. All rights reserved.